802.1x Support

Introduction to the 802.1X Authentication

IEEE 802.1X port-based authentication is configure on a device to prevent unauthorized devices from gaining access to the network. The device can combine the function of a router, switch, and access point, depending on the fixed configuration. Any device connecting to a switch port where 802.1X authentication is enabled must go through relevant EAP authentication model to start exchanging traffic.

Currently, the Cisco Wave 2 and Wi-Fi 6 (802.11AX) APs support 802.1X authentication with switch port for EAP-FAST, EAP-TLS and EAP-PEAP methods. Now, you can enable configurations and provide credentials to the AP from the controller .


Note


If the AP is dot1x EAP-FAST, when the AP reboots, it should perform an anonymous PAC provision. For performing PAC provision, the ADH cipher suites should be used to establish an authenticated tunnel. If the ADH cipher suites are not supported by radius servers, AP will fail to authenticate on reload.


EAP-FAST Protocol

In the EAP-FAST protocol developed by Cisco, in order to establish a secured TLS tunnel with RADIUS, the AP requires a strong shared key (PAC), either provided via in-band provisioning (in a secured channel) or via out-band provisioning (manual).


Note


The EAP-FAST type configuration requires 802.1x credentials configuration for AP, since AP will use EAP-FAST with MSCHAP Version 2 method.

Note


Local EAP is not supported on the Cisco 7925 phones.



Note


In Cisco Wave 2 APs, for 802.1x authentication using EAP-FAST after PAC provisioning (caused by the initial connection or after AP reload), ensure that you configure the switch port to trigger re-authentication using one of the following commands: authentication timer restart num or authentication timer reauthenticate num.


Starting from Cisco IOS XE Amsterdam 17.1.1, TLS 1.2 is supported in EAP-FAST authentication protocol.

EAP-TLS/EAP-PEAP Protocol

The EAP-TLS protocol or EAP-PEAP protocol provides certificate based mutual EAP authentication.

In EAP-TLS, both the server and the client side certificates are required, where the secured shared key is derived for the particular session to encrypt or decrypt data. Whereas, in EAP-PEAP, only the server side certificate is required, where the client authenticates using password based protocol in a secured channel.


Note


The EAP-PEAP type configuration requires Dot1x credentials configuration for AP; and the AP also needs to go through LSC provisioning. AP uses the PEAP protocol with MSCHAP Version 2 method.


Limitations of the 802.1X Authentication

  • 802.1X is not supported on dynamic ports or Ethernet Channel ports.

  • 802.1X is not supported in a mesh AP scenario.

  • There is no recovery from the controller on credential mismatch or the expiry/invalidity of the certificate on AP. The 802.1X authentication has to be disabled on the switch port to connect the AP back to fix the configurations.

  • There are no certificate revocation checks implemented on the certificates installed in AP.

  • Only one Locally Significant Certificates (LSC) can be provisioned on the AP and the same certificate must be used for CAPWAP DTLS session establishment with controller and the 802.1X authentication with the switch. If global LSC configuration on the controller is disabled; AP deletes LSC which is already provisioned.

  • If clear configurations are applied on the AP, then the AP will lose the 802.1X EAP type configuration and the LSC certificates. AP should again go through staging process if 802.1X is required.

  • 802.1X for trunk port APs on multi-host authentication mode is supported. Network Edge Authentication Topology (NEAT) is not supported on COS APs.

Topology - Overview

The 802.1X authentication events are as follows:

  1. The AP acts as the 802.1X supplicant and is authenticated by the switch against the RADIUS server which supports EAP-FAST along with EAP-TLS and EAP-PEAP. When dot1x authentication is enabled on a switch port, the device connected to it authenticates itself to receive and forward data other than 802.1X traffic.

  2. In order to authenticate with EAP-FAST method, the AP requires the credentials of the RADIUS server. It can be configured at the controller , from where it will be passed on to the AP via configuration update request. For, EAP-TLS or EAP-PEAP the APs use the certificates (device/ID and CA) made significant by the local CA server.

Figure 1. Figure: 1 Topology for 802.1X Authentication

Configuring 802.1X Authentication Type and LSC AP Authentication Type (GUI)

Procedure


Step 1

Choose Configuration > Tags & Profiles > AP Join.

Step 2

On the AP Join Profile page, click Add.

The Add AP Join Profile page is displayed.

Step 3

In the AP > General tab, navigate to the AP EAP Auth Configuration section.

Step 4

From the EAP Type drop-down list, choose the EAP type as EAP-FAST, EAP-TLS, or EAP-PEAP to configure the dot1x authentication type.

Step 5

From the AP Authorization Type drop-down list, choose the type as either CAPWAP DTLS + or CAPWAP DTLS.

Step 6

Click Save & Apply to Device.


Configuring 802.1X Authentication Type and LSC AP Authentication Type

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ap profile profile-name

Example:

Device(config)# ap profile new-profile

Specify a profile name.

Step 4

dot1x {max-sessions | username | eap-type | lsc-ap-auth-state}

Example:

Device(config-ap-profile)# dot1x eap-type

Configures the dot1x authentication type.

max-sessions: Configures the maximum 802.1X sessions initiated per AP.

username: Configures the 802.1X username for all Aps.

eap-type: Configures the dot1x authentication type with the switch port.

lsc-ap-auth-state: Configures the LSC authentication state on the AP.

Step 5

dot1x eap-type {EAP-FAST | EAP-TLS | EAP-PEAP}

Example:

Device(config-ap-profile)# dot1x eap-type 

Configures the dot1x authentication type: EAP-FAST, EAP-TLS, or EAP-PEAP.

Step 6

dot1x lsc-ap-auth-state {CAPWAP-DTLS | Dot1x-port-auth | Both}

Example:

Device(config-ap-profile)#dot1x lsc-ap-auth-state Dot1x-port-auth 

Configures the LSC authentication state on the AP.

CAPWAP-DTLS: Uses LSC only for CAPWAP DTLS.

Dot1x-port-auth: Uses LSC only for dot1x authentication with port.

Both: Uses LSC for both CAPWAP-DTLS and Dot1x authentication with port.

Step 7

end

Example:

Device(config-ap-profile)# end 

Exits the AP profile configuration mode and enters privileged EXEC mode.

Configuring the 802.1X Username and Password (GUI)

Procedure


Step 1

Choose Configuration > Tags & Profiles > AP Join.

Step 2

On the AP Join page, click the name of the AP Join profile or click Add to create a new one.

Step 3

Click the Management tab and then click the Credentials tab.

Step 4

Enter the local username and password details.

Step 5

Choose the appropriate local password type.

Step 6

Enter 802.1X username and password details.

Step 7

Choose the appropriate 802.1X password type.

Step 8

Enter the time in seconds after which the session should expire.

Step 9

Enable local credentials and/or 802.1X credentials as required.

Step 10

Click Update & Apply to Device.


Configuring the 802.1X Username and Password (CLI)

The following procedure configures the 802.1X password for all the APs:

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

ap profile profile-name

Example:

Device(config)# ap profile new-profile

Specify a profile name.

Step 4

dot1x {max-sessions | username | eap-type | lsc-ap-auth-state}

Example:

Device(config-ap-profile)# dot1x eap-type

Configures the dot1x authentication type.

max-sessions: Configures the maximum 802.1X sessions initiated per AP.

username: Configures the 802.1X username for all Aps.

eap-type: Configures the dot1x authentication type with the switch port.

lsc-ap-auth-state: Configures the LSC authentication state on the AP.

Step 5

dot1x username <username> password {0 | 8} <password>

Example:

Device(config-ap-profile)#dot1x username username password 0 password 

Configures the dot1x password for all the APs.

0: Specifies an unencrypted password will follow.

8: Specifies an AES encrypted password will follow.

Enabling 802.1X on the Switch Port

The following procedure enables 802.1X on the switch port:

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

aaa new-model

Example:

Device(config)# aaa new-model

Enables AAA.

Step 4

aaa authentication dot1x {default | listname} method1[method2...]

Example:

Device(config)# aaa authentication dot1x default group radius

Creates a series of authentication methods that are used to determine user privilege to access the privileged command level so that the device can communicate with the AAA server.

Step 5

aaa authorization network group

Example:

aaa authorization network group

Enables AAA authorization for network services on 802.1X.

Step 6

dot1x system-auth-control

Example:

Device(config)# dot1x system-auth-control

Globally enables 802.1X port-based authentication.

Step 7

interface type slot/port

Example:

Device(config)# interface fastethernet2/1

Enters interface configuration mode and specifies the interface to be enabled for 802.1X authentication.

Step 8

authentication port-control {auto | force-authorized | force-unauthorized}

Example:

Device(config-if)# authentication port-control auto

Enables 802.1X port-based authentication on the interface.

auto—Enables IEEE 802.1X authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port changes from down to up or when an EAPOL-start frame is received. The Device requests the identity of the supplicant and begins relaying authentication messages between the supplicant and the authentication server. Each supplicant attempting to access the network is uniquely identified by the Device by using the supplicant MAC address.

force-authorized-—Disables IEEE 802.1X authentication and causes the port to change to the authorized state without any authentication exchange required. The port sends and receives normal traffic without IEEE 802.1X-based authentication of the client. This is the default setting.

force-unauthorized—Causes the port to remain in the unauthorized state, ignoring all attempts by the supplicant to authenticate. The Device cannot provide authentication services to the supplicant through the port.

Step 9

dot1x pae [supplicant | authenticator | both]

Example:

Device(config-if)# dot1x pae authenticator

Enables 802.1X authentication on the port with default parameters.

Step 10

end

Example:

Device(config-if)# end

Enters privileged EXEC mode.

Verifying 802.1X on the Switch Port

The following show command displays the authentication state of 802.1X on the switch port:
Device# show dot1x all
Sysauthcontrol             Enabled
Dot1x Protocol Version     2
Dot1x Info for FastEthernet1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both 
HostMode                  = MULTI_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Device#

Verifying the Authentication Type

The following show command displays the authentication state of an AP profile:
Device#show ap profile <profile-name> detailed ?
  chassis  Chassis
  |        Output modifiers
  <cr>

Device#show ap profile <profile-name> detailed

  AP Profile Name        : default-ap-profile
  Description            : default ap profile
  …
  Dot1x EAP Method       : [EAP-FAST/EAP-TLS/EAP-PEAP/Not-Configured]
  LSC AP AUTH STATE      : [CAPWAP DTLS / DOT1x port auth / CAPWAP DTLS + DOT1x port auth